Checklist and audit trail for compliance with Data Protection Act ...

Data Protection Act (DPA) 1998 Key Principles
Data may only be used for the specific purposes for which it was collected.
Data must not be disclosed to other parties without the consent of the individual whom it is
about, unless there is legislation or other overriding legitimate reason to share the
information (for example, the prevention or detection of crime). It is an offence for Other
Parties to obtain this personal data without authorisation.
Individuals have a right of access to the information held about them, subject to certain
exceptions (for example, information held for the prevention or detection of crime).
Personal information may be kept for no longer than is necessary.(Kept up to date)
Personal information may not be transmitted outside the European Economic Area unless the
individual whom it is about has consented or adequate protection is in place, for example by
the use of a prescribed form of contract to govern the transmission of the data.
Subject to some exceptions for organisations that only do very simple processing, and for
domestic use, all entities that process personal information must register with the
Information Commissioner's Office.
Entities holding personal information are required to have adequate security measures in
place. Those include technical measures (such as firewalls) and organisational measures (such
as staff training).
Subjects have the right to have factually incorrect information corrected (note: this does not
extend to matters of opinion).
Definitions
Personal Data - Any data which can be used to identify a living person. This includes names,
birthday and anniversary dates, addresses, telephone numbers, fax numbers, email addresses and
so on. It applies only to that data which is held, or intended to be held, on computers ('equipment
operating automatically in response to instructions given for that purpose'), or held in a 'relevant
filing system'. This includes paper filing systems.
Strong Password – Password which is 8 characters minimum length, contains upper and lower
case alphabetical characters and numbers or punctuation characters. It should not contain
dictionary words, the owner’s date of birth or car registration number.
Encryption – Process of transforming information (referred to as plaintext) using an algorithm
(called a cipher) to make it unreadable to anyone except those possessing special knowledge,
usually referred to as a key.
What Constitutes a Successful DPA Audit?
Schools should have a data security policy that is relevant to the school and it should be
reviewed regularly. If schools do not answer “yes” to all the questions posed in this
checklist they are not fully compliant with Brent Schools’ Data Security Strategy.
Issue 3.1 By K Bailey, 25-Nov-09